mirror of
https://github.com/tailscale/tailscale.git
synced 2025-01-07 08:07:42 +00:00
ipn/ipnlocal: add c2n method to get SSH username candidates
For control to fetch a list of Tailscale SSH username candidates to filter against the Tailnet's SSH policy to present some valid candidates to a user. Updates #3802 Updates tailscale/corp#7007 Change-Id: I3dce57b7a35e66891d5e5572e13ae6ef3c898498 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
This commit is contained in:
parent
d8eb111ac8
commit
d045462dfb
@ -5,8 +5,11 @@
|
|||||||
package ipnlocal
|
package ipnlocal
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"encoding/json"
|
||||||
"io"
|
"io"
|
||||||
"net/http"
|
"net/http"
|
||||||
|
|
||||||
|
"tailscale.com/tailcfg"
|
||||||
)
|
)
|
||||||
|
|
||||||
func (b *LocalBackend) handleC2N(w http.ResponseWriter, r *http.Request) {
|
func (b *LocalBackend) handleC2N(w http.ResponseWriter, r *http.Request) {
|
||||||
@ -15,6 +18,21 @@ func (b *LocalBackend) handleC2N(w http.ResponseWriter, r *http.Request) {
|
|||||||
// Test handler.
|
// Test handler.
|
||||||
body, _ := io.ReadAll(r.Body)
|
body, _ := io.ReadAll(r.Body)
|
||||||
w.Write(body)
|
w.Write(body)
|
||||||
|
case "/ssh/usernames":
|
||||||
|
var req tailcfg.C2NSSHUsernamesRequest
|
||||||
|
if r.Method == "POST" {
|
||||||
|
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
|
||||||
|
http.Error(w, err.Error(), http.StatusBadRequest)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
res, err := b.getSSHUsernames(&req)
|
||||||
|
if err != nil {
|
||||||
|
http.Error(w, err.Error(), 500)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
w.Header().Set("Content-Type", "application/json")
|
||||||
|
json.NewEncoder(w).Encode(res)
|
||||||
default:
|
default:
|
||||||
http.Error(w, "unknown c2n path", http.StatusBadRequest)
|
http.Error(w, "unknown c2n path", http.StatusBadRequest)
|
||||||
}
|
}
|
||||||
|
@ -19,11 +19,17 @@
|
|||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"os"
|
"os"
|
||||||
|
"os/exec"
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
|
"runtime"
|
||||||
"strings"
|
"strings"
|
||||||
"sync"
|
"sync"
|
||||||
|
|
||||||
"github.com/tailscale/golang-x-crypto/ssh"
|
"github.com/tailscale/golang-x-crypto/ssh"
|
||||||
|
"go4.org/mem"
|
||||||
|
"golang.org/x/exp/slices"
|
||||||
|
"tailscale.com/tailcfg"
|
||||||
|
"tailscale.com/util/lineread"
|
||||||
"tailscale.com/util/mak"
|
"tailscale.com/util/mak"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -32,6 +38,77 @@
|
|||||||
// running as root.
|
// running as root.
|
||||||
var keyTypes = []string{"rsa", "ecdsa", "ed25519"}
|
var keyTypes = []string{"rsa", "ecdsa", "ed25519"}
|
||||||
|
|
||||||
|
func (b *LocalBackend) getSSHUsernames(req *tailcfg.C2NSSHUsernamesRequest) (*tailcfg.C2NSSHUsernamesResponse, error) {
|
||||||
|
res := new(tailcfg.C2NSSHUsernamesResponse)
|
||||||
|
|
||||||
|
b.mu.Lock()
|
||||||
|
defer b.mu.Unlock()
|
||||||
|
|
||||||
|
if b.sshServer == nil {
|
||||||
|
return res, nil
|
||||||
|
}
|
||||||
|
max := 10
|
||||||
|
if req != nil && req.Max != 0 {
|
||||||
|
max = req.Max
|
||||||
|
}
|
||||||
|
|
||||||
|
add := func(u string) {
|
||||||
|
if req != nil && req.Exclude[u] {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
switch u {
|
||||||
|
case "nobody", "daemon", "sync":
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if slices.Contains(res.Usernames, u) {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if len(res.Usernames) > max {
|
||||||
|
// Enough for a hint.
|
||||||
|
return
|
||||||
|
}
|
||||||
|
res.Usernames = append(res.Usernames, u)
|
||||||
|
}
|
||||||
|
|
||||||
|
if b.prefs != nil && b.prefs.OperatorUser != "" {
|
||||||
|
add(b.prefs.OperatorUser)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Check popular usernames and see if they exist with a real shell.
|
||||||
|
switch runtime.GOOS {
|
||||||
|
case "darwin":
|
||||||
|
out, err := exec.Command("dscl", ".", "list", "/Users").Output()
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
lineread.Reader(bytes.NewReader(out), func(line []byte) error {
|
||||||
|
line = bytes.TrimSpace(line)
|
||||||
|
if len(line) == 0 || line[0] == '_' {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
add(string(line))
|
||||||
|
return nil
|
||||||
|
})
|
||||||
|
default:
|
||||||
|
lineread.File("/etc/passwd", func(line []byte) error {
|
||||||
|
line = bytes.TrimSpace(line)
|
||||||
|
if len(line) == 0 || line[0] == '#' || line[0] == '_' {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
if mem.HasSuffix(mem.B(line), mem.S("/nologin")) ||
|
||||||
|
mem.HasSuffix(mem.B(line), mem.S("/false")) {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
colon := bytes.IndexByte(line, ':')
|
||||||
|
if colon != -1 {
|
||||||
|
add(string(line[:colon]))
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
})
|
||||||
|
}
|
||||||
|
return res, nil
|
||||||
|
}
|
||||||
|
|
||||||
func (b *LocalBackend) GetSSH_HostKeys() (keys []ssh.Signer, err error) {
|
func (b *LocalBackend) GetSSH_HostKeys() (keys []ssh.Signer, err error) {
|
||||||
var existing map[string]ssh.Signer
|
var existing map[string]ssh.Signer
|
||||||
if os.Geteuid() == 0 {
|
if os.Geteuid() == 0 {
|
||||||
|
@ -6,6 +6,16 @@
|
|||||||
|
|
||||||
package ipnlocal
|
package ipnlocal
|
||||||
|
|
||||||
|
import (
|
||||||
|
"errors"
|
||||||
|
|
||||||
|
"tailscale.com/tailcfg"
|
||||||
|
)
|
||||||
|
|
||||||
func (b *LocalBackend) getSSHHostKeyPublicStrings() []string {
|
func (b *LocalBackend) getSSHHostKeyPublicStrings() []string {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (b *LocalBackend) getSSHUsernames(*tailcfg.C2NSSHUsernamesRequest) (*tailcfg.C2NSSHUsernamesResponse, error) {
|
||||||
|
return nil, errors.New("not implemented")
|
||||||
|
}
|
||||||
|
@ -2,14 +2,18 @@
|
|||||||
// Use of this source code is governed by a BSD-style
|
// Use of this source code is governed by a BSD-style
|
||||||
// license that can be found in the LICENSE file.
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
//go:build linux
|
//go:build linux || (darwin && !ios)
|
||||||
// +build linux
|
// +build linux darwin,!ios
|
||||||
|
|
||||||
package ipnlocal
|
package ipnlocal
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"encoding/json"
|
||||||
"reflect"
|
"reflect"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
|
"tailscale.com/tailcfg"
|
||||||
|
"tailscale.com/util/must"
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestSSHKeyGen(t *testing.T) {
|
func TestSSHKeyGen(t *testing.T) {
|
||||||
@ -40,3 +44,17 @@ func TestSSHKeyGen(t *testing.T) {
|
|||||||
t.Errorf("got different keys on second call")
|
t.Errorf("got different keys on second call")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type fakeSSHServer struct {
|
||||||
|
SSHServer
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestGetSSHUsernames(t *testing.T) {
|
||||||
|
b := new(LocalBackend)
|
||||||
|
b.sshServer = fakeSSHServer{}
|
||||||
|
res, err := b.getSSHUsernames(new(tailcfg.C2NSSHUsernamesRequest))
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err)
|
||||||
|
}
|
||||||
|
t.Logf("Got: %s", must.Get(json.Marshal(res)))
|
||||||
|
}
|
||||||
|
36
tailcfg/c2ntypes.go
Normal file
36
tailcfg/c2ntypes.go
Normal file
@ -0,0 +1,36 @@
|
|||||||
|
// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
// c2n (control-to-node) API types.
|
||||||
|
|
||||||
|
package tailcfg
|
||||||
|
|
||||||
|
// C2NSSHUsernamesRequest is the request for the /ssh/usernames.
|
||||||
|
// A GET request without a request body is equivalent to the zero value of this type.
|
||||||
|
// Otherwise, a POST request with a JSON-encoded request body is expected.
|
||||||
|
type C2NSSHUsernamesRequest struct {
|
||||||
|
// Exclude optionally specifies usernames to exclude
|
||||||
|
// from the response.
|
||||||
|
Exclude map[string]bool `json:",omitempty"`
|
||||||
|
|
||||||
|
// Max is the maximum number of usernames to return.
|
||||||
|
// If zero, a default limit is used.
|
||||||
|
Max int `json:",omitempty"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// C2NSSHUsernamesResponse is the response (from node to control) from the
|
||||||
|
// /ssh/usernames handler.
|
||||||
|
//
|
||||||
|
// It returns username auto-complete suggestions for a user to SSH to this node.
|
||||||
|
// It's only shown to people who already have SSH access to the node. If this
|
||||||
|
// returns multiple usernames, only the usernames that would have access per the
|
||||||
|
// tailnet's ACLs are shown to the user so as to not leak the existence of
|
||||||
|
// usernames.
|
||||||
|
type C2NSSHUsernamesResponse struct {
|
||||||
|
// Usernames is the list of usernames to suggest. If the machine has many
|
||||||
|
// users, this list may be truncated. If getting the list of usernames might
|
||||||
|
// be too slow or unavailable, this list might be empty. This is effectively
|
||||||
|
// just a best effort set of hints.
|
||||||
|
Usernames []string
|
||||||
|
}
|
Loading…
x
Reference in New Issue
Block a user